perf session: Check for decompression buffer size overflow

On 32-bit systems, sizeof(struct decomp) + decomp_len can wrap
size_t when comp_mmap_len is large.  The preceding patch validates
comp_mmap_len alignment but does not cap the upper bound, so two
additions can still overflow:

1. decomp_len += decomp_last_rem: on 32-bit, adding a u64 to
   size_t silently truncates, producing a corrupted decomp_len
   that would bypass the subsequent overflow check and result
   in an undersized buffer allocation.

2. sizeof(struct decomp) + decomp_len: the final addition could
   overflow on systems with small size_t.

Add explicit overflow checks before each addition as
defense-in-depth.

Reported-by: sashiko-bot@kernel.org # Running on a local machine
Reviewed-by: Ian Rogers <irogers@google.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Assisted-by: Claude:claude-opus-4.6-1m
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>

diff --git a/tools/perf/util/tool.c b/tools/perf/util/tool.c
index 18641919473a859f1e636d496d05ca7116493d08..25c9b378aa163664115d0892ab55fdc565611434 100644 (file)
--- a/tools/perf/util/tool.c
+++ b/tools/perf/util/tool.c
@@ -34,9 +34,22 @@ static int perf_session__process_compressed_event(const struct perf_tool *tool _
                if (decomp_last->head > decomp_last->size)
                        return -1;
                decomp_last_rem = decomp_last->size - decomp_last->head;
+               /*
+                * Check before adding: on 32-bit, size_t += u64
+                * silently truncates, bypassing the overflow check
+                * below and producing an undersized buffer.
+                */
+               if (decomp_last_rem > SIZE_MAX - decomp_len - sizeof(struct decomp)) {
+                       pr_err("Decompression buffer size overflow\n");
+                       return -1;
+               }
                decomp_len += decomp_last_rem;
        }
 
+       if (decomp_len > SIZE_MAX - sizeof(struct decomp)) {
+               pr_err("Decompression buffer size overflow\n");
+               return -1;
+       }
        mmap_len = sizeof(struct decomp) + decomp_len;
        decomp = mmap(NULL, mmap_len, PROT_READ|PROT_WRITE,
                      MAP_ANONYMOUS|MAP_PRIVATE, -1, 0);